12/08/2016

We are a very mobile society and love our Wi-Fi connections, especially those we don't have to pay for. Security analyst Graham Cluley has some recommendations for protecting your router and home network, although the suggestions are appropriate for business networks too.

Don't use a router supplied by your ISP: These devices are often less secure than commercially available routers. For instance, many of them enable remote support via the use of hardcoded credentials that are impossible to change. Depending on the vendor, they also might not receive patches on a regular basis.

Change the default admin login credentials: Mirai and botnets like it work by scanning IoT products for default login credentials. If they find what they're looking for, the malware logs in and enlists the devices into their botnet. Don't let this happen! Set a unique username with a strong password. It's that simple.

Choose a strong Wi-Fi password: Why stop there? When you set up your Wi-Fi network, make sure you set a strong password to deter remote attackers. It would be a good idea to couple that password with the use of WPA2 as your router's security protocol.

Update your router's firmware on a regular basis: Once the credentials for your router and network are set, make sure you register your product so that you can receive firmware updates whenever they're released. You can and should implement those security fixes from the router's web interface.

Be careful when logging into the router's web interface: Whenever you access the router from the web, make sure you do so in private mode so that the browser doesn't save any cookies. Also, make sure the browser doesn't save your router's username and password. You don't want those bits of information inadvertently falling into the wrong hands should someone obtain access to your computer!

Don't enable services you don't need: Telnet, SSH, UPnP... few people need those services, but plenty activate them anyway. Don't be one of those people! There's no reason to expose yourself to additional risk if you have no use for those services.

In item #3, I would also suggest that WPA2 encryption be a required configuration for your Wi-Fi and not an option. Graham has a lot of good suggestions here and promises to post more advanced recommendations in a future post.

12/07/2016

More and more people are using Uber instead of taxis, although I don't understand the attraction. Surge pricing, independent contractor status, background check accuracy, GPS tracking and insurance liability coverage are just some of the concerns I have with the Uber business model. Apparently, there are other privacy concerns that most users are not aware of. Uber has changed the app's location tracking permissions (one of those terms of service items you never read). Instead of just tracking your location while you have the app open and active, it now tracks your location in the background as well.

Uber claims that they track your location 5 minutes before and after the ride to better predict where to pick you up and drop you off in the future. In the words of Sherman T. Potter, "Horse Hockey!" According to BGR, "…Uber could track you indefinitely, as long as the app is in the background. Of course, the company claims it's not doing that, and as TechCrunch reports, the only way Uber could enable its five minute tracking buffer was to ask for full background location tracking permissions upfront, but at this point you're essentially taking the company's word for it that it's not tracking you beyond the time it says it will."

12/06/2016

Microsoft hasn't actually announced a Surface 5, but the rumor mill is very active. BGR reports that a Surface Pro 5 would likely be a viable alternative to the MacBook Pro. Some of the rumored upgrades include more RAM, a faster processor, more storage space, an upgraded stylus, wireless charging, USB Type-C and Thunderbolt 3 support and a fingerprint sensor. We'll have to see, but perhaps you should hold off on your Surface purchase this Christmas season and wait for the Surface 5.

12/05/2016

Another day…another bug. This one impacts Apple devices running iOS 10.1.1. The exploit discovered by Vulnerability Lab security analyst Benjamin Kunz Mejri uses a buffer overflow exploit and some iPad-specific bugs to bypass Activation Lock in iOS 10.1.1. According to a report in ars technica, "When you're setting up a freshly reset iPad with Activation Lock enabled, the first step is to hit "Choose Another Network" when you're asked to connect to Wi-Fi. Select a security type, and then input a very, very long string of characters into both the network name and network password fields (copying and pasting your increasingly long strings of characters can speed this up a bit). These fields were not intended to process overlong strings of characters, and the iPad will gradually slow down and then freeze as the strings become longer. During one of these freezes, rotate the tablet, close its Smart Cover for a moment, and then re-open the cover. The screen will glitch out for a moment before displaying the Home screen for a split second, at which point a well-timed press of the Home button can apparently bypass Activation Lock entirely (but it will have to be extremely well-timed, since the first-time setup screen will pop back up after a second)."

12/01/2016

A post on ars technica announces an update available for Firefox and Tor browsers. The zero-day vulnerability is being used to execute malicious code on the computers of people using Tor and Firefox. It appears that the attacks are primarily aimed at Tor users, but since the Tor browser is based on the open source Firefox browser developed by the Mozilla Foundation, attacks on Firefox are also possible. The vulnerability has been fixed in version 50.0.2 for Firefox users. The update to version 6.0.7 of the Tor browser fixes the problem. The message here is to update the browsers for Firefox and Tor now.

11/30/2016

BitLocker is a very good encryption method included free with Windows 10. However, Microsoft needs to fix a recently discovered bug that allows you to bypass BitLocker. All an attacker needs to do is hold SHIFT+F10 during the Windows 10 update procedure. Security researcher Sami Laiho discovered this simple method of bypassing BitLocker, wherein an attacker can open a command-line interface with System privileges by hitting the key combination while Windows 10 installs an OS update. This is another reason to change the default configuration of Windows 10. Most users leave the default as installing updates automatically, typically early in the morning while everybody (except the bad guys) is sleeping. Someone with physical access to your computer could then take advantage of this bug. A solution to the problem is to download updates automatically, but notify the user when ready to install. A user could then install the update(s) while physically present and observe the update process. While the fix is simple, I'll guess most users are just too lazy and will leave their Windows 10 computers vulnerable to this attack.

11/29/2016

It is now official. Microsoft will stop supporting SHA-1 in Internet Explorer 11 and the Edge browser on February 14, 2017. How fitting that the death of SHA-1 will be on Valentine's Day. After that date, users will be shown an invalid certificate warning and have to take extra steps to reach the site if they so choose. SHA-1 is known to have weaknesses and exposes users to spoofing and man-in-the-middle attacks, which is why Google Chrome and Firefox will also drop support at the end of January. It's a good thing that the browsers will no longer support SHA-1, but the root problem is with websites themselves. Estimates are that 35% of websites still use SHA-1 certificates. Until website operators upgrade the SHA-1 certificates, we'll be getting a ton of warning boxes.

11/28/2016

Ever wonder what that password was for the Wi-Fi network that you saved on your Windows computer? First off, you shouldn't be saving Wi-Fi networks for those networks you only connect to on an occasional basis, but that's the topic of another post. There's actually a process where you can reveal the Wi-Fi password for previously saved networks.

Right-click the network icon on the toolbar and select "open network and sharing center."

In the resulting window, click "Change adapter settings," right-click on the Wi-Fi network, and select "status" on the drop-down menu.

In the resulting pop-up window, select "Wireless Properties," then click on the Security tab.

You should see a check box beside "show characters." Check this box to reveal your password. (Note: Windows 10 refers to this as a network security key instead of a password.)

The above steps will only work if you are already connected to the network. You'll have to type in commands for networks you are not connected to. The first step is to launch a command prompt as an administrator. Type the following command to expose all the saved network names:

netsh wlan show profile

Once you see the name of the Wi-Fi network you are interested in, type the following command, replacing "NETWORK NAME" with the desired network:

netsh wlan show profile "NETWORK NAME" key=clear
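
The same two commands can be used to audit what the computer has saved, not just to recover one password. The following is an added example (not part of the original post) that parses their output and flags saved networks that use no or weak encryption, that the computer joins automatically, or whose key is stored recoverably. The sample text is constructed, trimmed and modelled on English-language netsh output, and the network names, key and finding labels are made up for illustration.

```python
import re

# "key : value" lines as netsh prints them; [ \t] keeps each match on one line.
FIELD = re.compile(r"^[ \t]*([^:\n]+?)[ \t]*:[ \t]*(.*?)[ \t]*$", re.MULTILINE)

def profile_names(listing):
    """Saved network names from `netsh wlan show profile` output."""
    return [v for k, v in FIELD.findall(listing) if k.endswith("User Profile")]

def audit_profile(detail):
    """Findings for one `netsh wlan show profile "NAME" key=clear` output."""
    fields = {}
    for key, value in FIELD.findall(detail):
        fields.setdefault(key, value)   # first Authentication/Cipher pair wins
    auth, cipher = fields.get("Authentication", ""), fields.get("Cipher", "")
    findings = []
    if auth == "Open" or cipher in ("None", "WEP"):
        findings.append("no or weak encryption")
    elif not auth.startswith(("WPA2", "WPA3")):
        findings.append("older than WPA2")
    if fields.get("Connection mode") == "Connect automatically":
        findings.append("joins automatically")
    if fields.get("Key Content"):
        findings.append("stored key is recoverable")
    return findings

# Constructed samples (made-up names and key), trimmed to the lines that matter.
LISTING = """User profiles
-------------
    All User Profile     : HomeNet
    All User Profile     : CoffeeShop-Guest
"""
DETAILS = {
    "HomeNet": """    Connection mode    : Connect manually
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : constructed-example-key
""",
    "CoffeeShop-Guest": """    Connection mode    : Connect automatically
    Authentication         : Open
    Cipher                 : None
    Security key           : Absent
""",
}

def audit_all(listing=LISTING, details=DETAILS):
    return {name: audit_profile(details[name]) for name in profile_names(listing)}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

A saved network you no longer need can be removed with netsh wlan delete profile name="NETWORK NAME".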

11/22/2016

Don't always blame the phone manufacturer for poor battery life, although Apple has a historically poor track record. Besides poor hardware design, applications may be the reason for deplorable battery life. There have been many reports that Facebook is responsible for draining your juice, but that issue was supposedly fixed. Well, maybe not. BGR reports that uninstalling the Facebook app could get 20% more smartphone battery life. The blog post describes the results of uninstalling the Facebook app on several different model phones. In every case, battery life improvement was significant once the app was uninstalled. Diehard Facebook fans will probably suffer with a draining battery, but there are other options. Use the Chrome browser on your device to access Facebook or install Metal, an Android app that's basically just a wrapper for Facebook's mobile site.

Good thing I'm not a Facebook user. I just have to remember to shut down the DirecTV app since it's a battery hog of its own.

11/21/2016

One of the things we do at Sensei is mobile forensics. As a result, we've been analyzing iPhones for many years. We always do a "happy dance" when we get iPhones in our lab, primarily because they are so evidence rich. Apple has always saved more data than any other mobile device we've ever seen, so we weren't surprised to read the latest news about Apple logging call information in iCloud. Apple calls it a feature, but some consider it a security flaw. The issue is Apple's logging of call information for a four-month period. The technical reason for saving the data is so that it can be synchronized and accessed from all of your Apple devices. Is that a feature or an excuse to justify gathering user data? Call me cynical, but I'll stick with my non-Apple devices.

Sensei Enterprises, Inc.
